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I. INTRODUCTION 


Computers are increasingly being used as passive (monitoring) and active 
(controlling) components of real-time systems, e.g., air traffic control, 
aerospace, aircraft, industrial plants and hospital patient monitoring 
systems. The problems of safety become important when these 
applications include systems where the consequences of failure are 
serious and may involve grave danger to human life and property. 
[Ref. 1] 

Increasingly, in the world today, the trend is to implement functionality 
through software. Both the military and industry are becoming more and 
more dependent on software products. Older weapons platforms are 
undergoing system upgrades to significantly increase their service life that 
includes additional digital hardware and software. In 1955 only 10 percent 
of our weapons systems required computer software. Today the figure is well 
over 80 percent [Ref. 2]. 

The increase in reliance on software has led to safety critical factors that 
are significant. Since the techniques for software safety analysis are less 
mature than those of hardware safety. Much remains to be learned about 
applying safety considerations to the design and evaluation of computer- 
controlled real-time systems. Many major safety critical system purchases are 


now incorporating requirements for software safety analysis and verification 


in their contracts [Ref. 3]. 


The military has responded by publishing several standards for testing 
and verification of software systems. These include MIL-STD-SNS (1986), 
MIL-STD-882B (1984), and MIL-STD-1574A (1979). MIL-STD-SNS (USN) 
is a Navy standard that covers software safety analysis for nuclear weapons 
systems. MIL-STD-882B (DOD) is a Department of Defense standard for 
software hazard analysis and software safety verification. Finally 
MIL-STD-1574A (USAF) is an Air Force standard that lists the requirements 
for software safety analysis and integrated system safety. [Ref. 4] 

Problems, however, still exist in verifying the safe states of software 
controlled systems. The number of states in imbedded software systems 
prohibit the realistic testing and verification of these systems. It is impossible 
to simulate all the different types of hardware errors, transient faults, and 
system interface errors in the design of a complex piece of software. 
Therefore, the overall system view is critical. The greatest source of problems 
encountered in computer controlled systems is in the lack of system level 


methods and viewpoints. [Ref. 4] 


A. WHAT IS SOFTWARE SAFETY? 
In order to have a common place to start some preliminary working 
definitions need to be presented. Complete safety cannot be achieved since 


nothing is completely safe under all conditions. For example, the act of 


drinking too much water can cause kidney failure [Ref. 5]. Therefore, safety 
is a concept that needs to be measured with regards to the situation in which 
it is being applied. 

Safety can be defined in terms of hazards or undesired states of a 
system. When these states are combined with other, perhaps totally unrelated, 
environmental factors conditions exist that could lead to a mishap. Risk is 
also a part of these factors. It is a function of the probability of the actual 
hazardous state occurring. Secondly, once the hazardous state has occurred, 
what is the probability of that hazard leading to a mishap? And finally, what 
is the perceived severity of the worst potential mishap that could result from 
the hazard? [Ref. 4] 

Safety can then be defined as a measure of the degree of freedom from 
risk in any environment. Software safety, therefore, can be considered 
freedom from software failures that could cause damage or injury. Software, 
however, is not inherently unsafe. It cannot, by itself, cause physical damage 
or injury. The software acts in conjunction with hardware to do something 
that can be physically accomplished. This physical task may then have the 
chance to cause an incident or mishap. 

Software and hardware must be treated as a single unit in order to be 


analyzed. Software engineering techniques that do not consider the system as 


a whole, including the interactions between the hardware, software, and human 
operators, will have limited usefulness for real-time control software [Ref. 4]. 

Safety and reliability, although sometimes thought of as the same, are 
not. This is especially true with respect to software. Safety is the probability 
that a mishap or accident will not occur regardless of whether or not the 
intended function is performed. Reliability is defined as the probability that 
the system will perform its intended function for a specified period of time 
under a set of specified environmental conditions. [Ref. 6] 

In general, for a system to be reliable it must work correctly and be 
failure free. The system 1s designed so that the software can react for every 
possible software error. Safety is concerned with only those errors that cause 
a system hazard. This is not to say that all software errors cause safety 
problems and all software that functions according to the specifications is safe 
[Ref. 3]. Serious mishaps have occurred while software was operating exactly 


as intended and a failure was not present [Ref. 7]. 


B. INTRODUCTION TO SOFTWARE SAFETY ANALYSIS 
Software safety analysis needs to begin when a project 1s started and 
continued throughout the life cycle of the system. A goal of any safety 


analysis is to show that the system is safe. The system must be able to 


operate safely under normal working conditions or the normal intended 
conditions. It must also be able to respond safely with the presence of errors 
or faults. Software or any software system must not let one simple fault 
disrupt its operation. The system must prove that hazards resulting from 
sequences of failures are also sufficiently remote. [Ref. 4] 

To fully test or analyze all sequences of failures is, for all practical 
purposes, impossible. Therefore, the safety analysis procedures must begin to 
decompose the problems. An attempt must be made to define what is 
hazardous and then judge the likelihood of its occurrence. This approach 
lends itself to a backwards type of analysis. The hazards, once grouped, can 
then be placed in severity categories with probabilities assigned to each 
category. This can better define and focus which hazards would cause the 
worst credible mishap. [Ref. 4] 

Once the preliminary hazard analysis is completed, detailed software 
hazard analysis can begin. The techniques in the initial stages of the analysis 
focus on the most damaging failures. The method of analysis starts with a 
given set of unacceptable failures and then by backward reasoning ensures that 
each failure is eliminated or at least minimized in its severity. [Ref. 4] 

One method that is used to model a system is timed Petri nets. Petri 
nets (Peterson, 1981) allow mathematical modeling of discrete-event systems 


in terms of conditions and events and the relationship between them [Ref. 4]. 


Faults and failures can then be incorporated into the Petri net model to 
determine their effect on the system [Ref. 1]. 

Another verification methodology for safety analysis involves the use of 
software fault tree analysis (SFTA) [Ref. 8]. Software fault tree analysis is 
a static analysis of a system in order to ascertain software safety 
requirements. The technique can also detect software logic errors and 
identify multiple failure sequences involving different parts of the system. 
The backward approach is once again used starting from the undesired event. 
The sequence of actions are stepped through using gates to reach a 
contradiction of the undesired event. [Ref. 4] 

This thesis looks at the relationship and possible integration of Petri nets 
and fault free analysis. Software updates to a weapons system occur quite 
frequently over the life cycle of a system. New and more powerful computers 
are added to many existing systems to increase their overall system 
effectiveness. These factors have contributed to more and more software 
being required to meet these needs. Exhaustive testing of software in many 
cases is not feasible. Many older systems lack formal and stringent 
specifications from the original system. Reverse engineering, therefore, is 
performed on the update to ensure that the system works correctly. If the 


update was limited in scope, testing can still be accomplished. However, with 


today’s complex and more sophisticated systems designers and implementers 
will not have this luxury. 

Certainly, for today’s safety critical systems, as much testing that can be 
done needs to done. However, new methodologies to analyze safety-critical 
computer or software controlled systems need to be developed. Combining 
Petri net analysis and fault tree applications may be one way to reduce the 
number of states or events that must be inspected. Critical states that could 
cause personal injury or property destruction must in some way be singled 
out. If these critical states are recognized and analyzed appropriate action can 
be taken. 

Systems in many of today’s applications are extremely complicated. In 
order to assist in a Safety evaluation the system must be fully understood. 
Petri nets help in modeling the system in terms of conditions and events and 
the relationship between them. Once the system is properly understood fault 
tree analysis can be done in areas where possible problems exist. Today, 
there are no easy or widely accepted software safety techniques that have been 
validated completely [Ref. 4]. 

This thesis examines one particular real-life software upgrade. It then 
evaluates a method to apply Petri net and fault tree analysis to the safety 


issues associated with the upgrade. This analysis evaluates critical faults that 


may exist in the software. This technique may help in finding and 
eliminating safety critical faults in other software. 

The actual system under investigation is the proposed upgrade to the 
Operational Flight Program (OFP) 240 for the Grumman A-6E aircraft. The 
proposed upgrade, named OFP 250, is under development at the Naval 
Weapons Center in China Lake, California. Due to time constraints and levels 
of expertise one specific weapon system was chosen for evaluation. The 
actual safety analysis considered the additional functionality of the master arm 
weapons switch. The ability to place the master arm switch in the practice 
mode and interface with live weapons was not implemented in the previous 
release. OFP 250 changes the function of the master arm switch to let the 
aircrew practice and interface with live weapons carried on the aircraft. In 
addition, three new computers were added immediately prior to the OFP 240 
upgrade. These new computers added additional complexity to the master arm 


practice problem. 


II. BACKGROUND TO SOFTWARE SAFETY TECHNIQUES 


A. SOFTWARE SAFETY DEFINITIONS 

As software and computer programs have become larger the number of 
bugs in these programs have also grown. The ability to test for all cases in 
a large software program is, in practice, nearly impossible. At the same time, 
our reliance on computers that do critical tasks has grown tremendously. In 
order to deal with these inconsistencies, software safety has become a vital 
piece of the total system safety puzzle. Software safety analysts have agreed 
on certain definitions to help in defining this area of research. These 
definitions are set down by the IEEE Standards Committee and will be 
followed throughout this thesis [Ref. 9]. These definitions are listed in 


Appendix A. 


B. SOFTWARE FAILURE MODES 

When designing software some knowledge of the different types of 
failures that can occur should be understood. It has been fairly evident from 
research and by example that software does not fail due to wear. Software 
failures are actually program errors that exist in the system. Therefore, five 


system failure modes can be defined: 


l. Premature operation of a component (operation not required or the 
operation was too early). Error of commission. 


2. Failure of a component to operate at a prescribed time (operation left 
out of sequence or it was too late). Error of omission. 


3. Failure of a component to cease operation at a prescribed time 
(calculation takes too long or no termination condition, infinite loop). 


4. Failure of a component during operation, i.e., incorrect output. 


5. Failure of a component to recognize a hazardous condition that must 
require some type of corrective action. [Ref. 10] 


These identifiable failure modes should be the basis by which we begın 


to analyze key conditions in a software system. [Ref. 11] 


C. SYSTEM SOFTWARE APPROACHES 

Five approaches can be identified that are currently being used to 
enhance safety design. These are hazard elimination; hazard limitation; a 
group of hardware and software mechanisms that includes lockouts, lockins, 
and interlocks; fail-safe design; and failure minimization. A brief description 
of each will follow. 

Hazard elimination can be done during the design phase. As the design 
continues to be inspected problems will be uncovered. Those design problems 
that lead to hazards should be eliminated. However, the problems may be 
dependent on hardware or the environment. A computer controlled insulin 


pump is an example of how the environment can effect software. The insulin 
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pump is set to monitor blood sugar levels in the body. A certain lower level 
of blood sugar corresponds to an increase in insulin. However, there are 
environmental factors such as diet or exercise that require different rates for 
the pump to add the insulin to the body. The pump must be guaranteed not 
to exceed a fixed maximum rate. Therefore, software cannot be the only 
way to eliminate a hazard. Software and hardware must work in conjunction 
to help solve the problem of hazards. In the above case software would need 
to issue commands to ensure the pump acted correctly for the given set of 
circumstances and blood sugar levels. 

In software terms a hazard is an unsafe state. If the system 1s allowed 
to enter an unsafe state this condition can lead to a mishap or safety failure. 
The system was able to proceed to the unsafe state by a series of critical 
faults that produced a critical error. Therefore, to eliminate the unsafe state it 
is necessary to try and eliminate these prior errors and faults. 

Some of the techniques that help eliminate hazards include formal 
requirements and specification languages, design tools, preliminary hazard 
analysis (PHA), fault tree analysis (FTA), and Petri net analysis. [Ref. 11] 

Hazard limitation is another piece of the puzzle to help enhance safety 
design by reducing the scope of the hazard, thereby limiting the problem. 
The idea is to detect the hazardous condition at a low enough energy level to 


insure that sufficient time remains to take a recovery action. 
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Monitor systems must be extremely reliable. The program must be able 
to continually check and cross check conditions. These monitoring programs 
can be implemented in software. However, the software must not only 
monitor the situation but also take action. Warnings can be used in 
conjunction with the monitoring system. An aural waming for a radar 
altimeter set to a desired altitude or an automatic fly-up while on a terrain 
following mission are examples of the performance needed by monitoring 
software. [Ref. 11] 

Lockouts, lockins, and interlocks are based on two principles: 

l. isolate a hazard once it has been recognized 


2. prevent incompatible events from occurring, from occurring at the 
wrong time, or from occurring in the wrong sequence [Ref. 10]. 


These mechanisms are designed to be accomplished primarily through 
hardware. A lockout prevents entering an unsafe state or prevents an event 
from actually occurring. A lockin maintains an event or keeps something 
from leaving a safe state. Interlocks are the mechanisms provided to avoid 
timing failures by ensuring that events happen in the correct order. Many of 
these features have been used for operating systems problems. The types of 
mechanisms that deal with these problems are semaphores, monitors, and 


kernels. Therefore, it should be safe to assume that the experience gained 
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from applying these techniques to operating systems will aid in safety critical 
applications. [Ref. 11] 

Fail-Safe design tries to ensure that when a failure happens the system 
will remain in a safe state. The system will try to remain in or reach a state 
in which no damage or injury can result. Fail-Safe design can be categorized 
into three types: fail-passive, fail-active, and fail-operational. These fail- 
safe designs are described below: 

1. Fail-passive design reduces a system to its lowest energy level in the 
event of a failure (e.g., disarming a missile after a certain period of 
time). A circuit breaker type fuse for the system. It should be used 
when no action by the system is a safe action. 

2. Fail-active (fail-soft) design reduces the energy level of the other 
system in a stepwise fashion in the event of a failure. It should be 
used in systems when there is some degree of system activity that 
must be maintained to remain safe. Malfunctioning components are 
modularized. Each module can be independently terminated. This 
avoids a total crash of the system (e.g., water valves for cooling a 
nuclear power plant remain open while the system makes critical re- 
calculations on data). 

3. Fail-operational design (fault-tolerance) ensures full system 
functionality in the event of a failure. It uses redundancy (parallel 
or switching) for critical modules that are required to maintain safety 
(e.g., an automatic hands off landing system for aircraft). [Ref. 11] 

The last method is failure minimization. Some software systems are so 
vital that they cannot afford to fail. Therefore, the actual number of times 


the system fails must be reduced. One way to meet these goals is to try and 


limit failures especially under heavy load conditions. If the system is going 
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to fail, it is hopefully at a time when system operation can be continued in 
some other manner. 

Redundancy is used in many cases in fail minimization systems. This 
does, however, become expensive. The same software cannot be used as the 
backup since it will have the same errors as the front line system. Different, 
independent software must be developed and tested to ensure that the backup 
works correctly. [Ref. 11] 

Research continues to try and help in ways to develop methods that 
provide for techniques that aid in software safety. One goal is to produce 
safe designs for software, while at the same time, maintain system 
performance [Ref. 12]. Another concern is to develop ways to analyze 
already existing software. The design must be able to find failure modes or 
scenarios that could lead to a specific safety failure. Two techniques that can 
assist in the development and analyzing of safe software are fault tree analysis 
(FTA) and Petri net analysis. These two techniques will be presented for 
modeling of components in a system. The analysis that is done on the system 
will show that the information gathered can identify safety area concerns and 


be useful in further software safety design. 
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D. FAULT TREE ANALYSIS 

Fault tree analysis (FTA) was developed in the early 1960’s to analyze 
the safety of electro-mechanical systems [Ref. 13]. Evolving from FTA was 
software fault tree analysis (SFTA). This extended the concepts into systems 
that contained software as subcomponents. FTA starts by defining an 
undesired system state or hazard. The system is analyzed in the context of 
its environment and operation to find a plausible sequence of events that can 
lead to a hazard. The fault tree is essentially a graphic model of various 
parallel and sequential combinations of events or system states. The result of 
these combinations is the occurrence of the predefined undesired event or 
proof that the undesired event cannot occur. 

The undesired event could occur due to component failure, human error, 
or environmental conditions. Therefore, the fault tree depicts the logical 
interrelationship of basic events that lead to an undesired event. [Ref. 14] 

It is also important to understand what a fault tree is not. It is not a 
model of all possible system failures or reasons the system may fail. Each 
particular fault tree must be tailored to its singular, corresponding, failure 
scenario. With the possibility of an almost infinite number of ways leading 
to an undesired event the path chosen is the one most credibly decided on by 


the analyst. 
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E. SOFTWARE FAULT TREE ANALYSIS 

Software fault tree analysis begins in a manner much like hardware fault 
tree analysis. The software approach uses a subset of the symbols used in 
hardware analysis (Appendix B). This allows software and hardware trees to 
be interfaced, linked, and analyzed together. It also allows for greater 
freedom in order to include human error and hardware failure during the 
analysis. [Ref. 15] 

The basic procedure for FTA starts with ıdentifying a hazard that has or 
could occur. The hazard is the root of the fault tree. The nodes below are 
the necessary preconditions that are needed to have the hazard occur. The tree 
builds in a backward way to determine the possible paths that may lead to 
this particular hazard. These relationships are built by using AND or an OR 
gate until each subnode has been analyzed to the lowest possible level. [Ref. 
14] 

After the fault tree has been built to the software interface, higher level 
requirements for software safety can be delineated. Unsafe software behavior 
may result from any number of conditions. Some examples include the 
failing to perform a required function, performing a function not required, 
failing to enforce a required sequence, or failing to recognize a hazardous 


condition. [Ref. 14] 
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Once the system has been modeled by the FT'A the hazardous software 
behavior can be further modeled by SFTA. This can be applied at the design 
or code level. This analysis can lead to identifying software critical items and 
components, the detection of software logic errors, the determination of the 
initial conditions, and logical places for run time checks in the software. 
[Ref. 14] 

SFTA is designed to work backwards just as FTA does. The SFTA 
attempts to verify that the program as written will not allow, under any 
circumstance, an unsafe state to be reached. This type of analysis does not 
deal with incorrect states that are not defined to be hazardous. Most of the 
real-time systems that are dealt with have two goals in mind. One is 
accomplishing the mission or function at hand. The second is to not cause 
harm, while in the process of accomplishing the mission. SFTA only 
addresses the second portion of stated the goals. [Ref. 14] 

Proof by contradiction is conveniently used in SFTA since the goal of 
the analysis is to prove that the software will not permit some event. If the 
analysis can prove a contradiction to the loss event then the event cannot 
happen with the software. SFTA forces the analyst to consider what the 
software is not supposed to do. This thought process is opposite the normal 


approach of what is the system software required to do. The environment is 
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also considered by this approach. Therefore, the most critical assumptions 


about the environment can also be considered. [Ref. 14] 


F. PETRI NET ANALYSIS 

Petri net theory was originally developed by A. W. Holt and others 
based on the works of Carl Adam Petri [Ref. 16]. Petri’s efforts were 
directed to design a new model of information flow in a system. As 
computer systems have developed, concurrency of operations have become 
more and more common. This has lead to complex interactions between 
concurrently executing components. This makes it nearly impossible to 
understand the entire system. [Ref. 17] 

Petri nets have been developed to aid in the understanding of concurrent 
systems because they have the ability to model parallelism and 
synchronization. This new approach realized that relationships between 
components of a system could be represented by a graph or net. [Ref. 17] 

The analysis by a Petri net can uncover possible problems within the 
system and get them corrected. The ultimate goal would be the ability to 
analyze a system using a Petri net and then manipulate the net to derive the 
properties of the modeled system. Questions can be raised that significantly 


enhance the ability to investigate the problem. For example, what states are 
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reachable in a given Petri net? What different sequence of transition firings 
are possible? [Ref. 17] 

Petri nets are defined in computer science terms as directed graphs whose 
nodes are transitions and places. Places are connected to transitions and 
transitions are connected to places by directed arcs. Places model conditions 
and transitions model the occurrence of an event. Inputs or arcs leading into 
a transition represent the precondition of the event. The arcs leading from a 
transition define its outputs or postconditions. Figure 2-1 represents the basic 


Petri net structure. 
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Figure 2-1 Basic Petri Net Structure 
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The circles of Figure 2-1 denote places, the bars are representative of 
transitions, the dots represent tokens, and the arrows represent the arcs of the 
graph. 

Petri net graphs represent the static state or condition of the system under 
analysis. In addition, Petri nets can also be used to analyze the dynamic 
properties that result from execution. Each place can contain tokens that 
model the dynamic properties of the system. Tokens are indicated by black 
dots inside of the places as in Figure 2-1. A transition cannot fire if all the 
tokens are not present. This then allows for simulation of the model so that 
it can be analyzed under different sets of conditions. Tokens are positioned 
and moved throughout the net by the firing of transitions. The transitions 
must be enabled in order to fire. A transition is enabled when all of the input 
places have a token in them. The number of arcs coming out of a transition 
represents the number of tokens that will be created when the transition fires. 
The transition fires by removing the enabling token from the input places and 
depositing the newly created token or tokens into the output places. It should 
be noted that there is no dependency between the number of input arcs 
required to enable a given transition and that transition’s number of output 


arcs. Figure 2-1 depicts a basic net with input tokens set to fire. 
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Figure 2-2 shows what has occurred after the transitions in Figure 2-1 
have fired. The token is placed into the next place corresponding to the 


number of input arcs that lead in. 
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Figure 2-2 Basic Petri Net Structures After Transitions Firing 


A Petri net execution can be viewed as a series of discrete events that 
can occur depending on the basic structure of the model being analyzed. This 
is an important concept since this leads to the idea that Petri nets can fire in 
a nondeterministic manner. If more then one transition is enabled the 


possibility exists that any one of those transitions may fire, with the one that 
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fires chosen nondeterministicly. The selection process can be purely random 
or driven by forces that are not included in the model. 

The nondeterministic actions of Petri nets matches well with events in 
real life. This is ideal since real-life events occur in no specific set pattern. 
Each occurrence can be a unique set of sequences. It is this fact that makes 
Petri nets suitable for concurrent system modeling. However, this does 
introduce considerable complexity into the analysis of the net. 

A way to reduce the complexity of the Petri net model is to consider 
that the firing of transitions 1s instantaneous or takes no time to fire. Since, 
time is a continuous variable, then, the probability of any two or more events 
happening simultaneously is zero [Ref. 17]. One other way to remove some 
of the nondeterministic behavior is to set up timing maximums and minimums 


for the transitions firing times. [Ref. 17] 


1. Petri Net Theory 
The formal definitions of Petri nets can be found in Peterson (1981). 
A Petri net is a five tuple relationship. It consists of a set of places P, a set 


of transitions T, an input function I, an output function O, and an initial 


marking O. [Ref. 17] 


2. Reachability 
If there is a possible transition between one place to another then 


we can say that the marking is immediately reachable. In other terms, 
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reachability is the possibility that an initial condition could lead to a given 
final condition. Reachability is a directed graphical representation of all the 
possible state sequences. The nodes represent states. The arcs between the 
nodes represent sets of transitions which sequentially go from one state to 
another. 

Petri net safety analysis find this advantageous because it uses 
reachability to determine if there is a possibility of a mishap state occurring. 
If a reachable unsafe state is discovered it can then be analyzed. The analyst 
must determine where a critical state is first encountered. With this 
information the error can be corrected by changing those conditions that led 


to that specific critical high risk state. [Ref. 17] 


G. COMBINING PETRI NETS AND FAULT TREE ANALYSIS 

Petri nets and fault tree analysis (FTA) have been recently used in 
conjunction with one another by Leveson and Stolzy, 1986 [Ref. 1]. They 
have developed analysis procedures to help in determining software safety 
requirements directly from the system under investigation. They have also 
included timing requirements, recoverability, and fault tolerance to help in 
determining failure detection and recovery procedures. 

To generate the entire reachability graph from Petri nets has been shown 


to be exponentially difficult and time consuming. However, by using Petri 
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nets for only key parts of a system the same type of backward analysis that 
is used in FTA can be used in the Petri net. The state information provided 
by a fault tree can also be used to reduce the exponential nature of the Petri 
net analysis. 

Timing can also be added to the Petri net model. This approach can 
help in determining the longest time required or worst case scenario required 
to complete execution. This information can then be incorporated into the 
design currently under development. 

The Petri net incorporates faults and failures into the model. The 
backward analysis helps uncover problem areas where critical hazards exist. 
The analyst can then take the most hazardous part of the system and correct 
it by using fault-tolerance and fail-safe mechanisms. If the hazard is too 
severe it may need to be eliminated. [Ref. 1] 

The above approach attempts to establish important properties of the 
system through a framework of examination instead of guesswork. It uses the 
advantages of timed Petri nets and the ability to model the flow of execution 
with likely fault tree failure scenarios. It may be particularly useful for 
software components. Since it is difficult to determine in a complex system 


which faults are the most likely to occur and the number of failures is often 


very large. |Ref. 1] 
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III. MODELING AND ANALYSIS METHODOLOG Y 


A. INTRODUCTION 

The majority of fleet training with air-to-ground missiles is conducted 
with live weapons. The real-time systems employed on different platforms 
throughout the Navy have required thorough safety inspections and analysis. 
The safety analysis of our system used the modeling power of Petri nets to 
trace the flow of events as the system executed. This was critical to 
analyzing the system considering that four computers were involved which 
were working concurrently. Three of the computers were recent upgrades to 
the aircraft. Relatively new interfaces were modeled and examined to 
determine if any new hazardous conditions existed. With this increased 
knowledge of the flow of information the unsafe states were identified. FTA 


was then used to analyze if the unsafe states could possibly harm the system. 


B. SYSTEM OPERATION 

The real-time system under analysis is the upgrade of the A-6E 
operational flight program (OFP 240). The improvements to the software are 
a continuing program controlled and directed by NWC China Lake. The 


upgrade, called OFP 250, will accomplish several tasks. It will combine 
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OFP 230, used for older A-6E versions, and OFP 240 which includes the 
1553 data bus and new computer hardware. OFP 250 will also add the 
capability to perform missile practice attacks with the aircraft master arm 
switch in the practice position. 

Live missiles will be required to interface with the system. The practice 
attack procedures will be identical to those required for a real missile attack. 
The practice attack software will also encompass all current A-6E air-to- 
ground missiles. 

Our analysis of the system was conducted on OFP 240. The evaluation 
examined the potential condition of an inadvertent release of a missile with 
the master arm set to practice and a live weapon aboard the aircraft. 

The A-6E, before the upgrade, used one central computer called the 4PI 
or Ballistic Computer Set (BCS) to control the entire system. The new 
configuration added three new computers along with the 1553 data bus. The 
central or key component of the new system is the Avionics Interface Unit 
(AIU). [Ref. 18] 

In addition to the AIU there are two other computers that need to be 
considered to understand some of the concurrent operations. These two 
computers are the Missile Switching Unit (MSU) and the Integrated Missile 


Panel (IMP). A system block diagram is provided in Figure 3-1 [Ref. 18]. 
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Discretes 





ewes System Block Diagram 

The concurrent operations of all the individual system components is 
very complex. We therefore started our analysis by using a timing diagram 
to study the sequential flow of execution for a live air-to-ground missile 
launch. 

The specific missile that we considered was the Harpoon. Harpoon was 
decided upon for a number of reasons. It was a proven weapon on the A-6E 
airframe and is representative of other air launched missiles. It was also the 


area in which most of our expertise and operator knowledge existed. 
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Using the timing diagram and a schematic of the signals for the 
input/output of the AIU, a simplified flow chart diagram was made. This 
enabled us to better understand some of the concurrent events in the system. 
The timing sequence was used to identify the signals from the Harpoon 
missile. The AIU diagram was then used to help match and map the signals 
that interfaced between the Harpoon and the hardware. Figure 3-2 is the 
resulting simplified block diagram of the interface between the Harpoon and 
AIU. 

The Harpoon weapon was somewhat unique considering that it had been 
implemented in older A-6E aircraft by using a 100-kHZ data channel. The 
100-kHZ data channel is still used with the 1553 data bus in new or upgraded 
versions of the aircraft. The analysis was forced to take this 100-kHZ bus 
into account in examining safety-critical events. It did not, however, effect 


our results. [Ref. 18] 


C. PROBLEM BEING ANALYZED 

Prior versions of OFP 240 did have some practice missile capabilities. 
These capabilities, however, were restricted to the left and right outboard 
stations. These stations are unable to be used by any type of weapon, either 
live or practice. The circuitry to the outboard stations exists, but there is no 


physical hardware that allows the weapon to be attached to the aircraft at 
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Figure 3-2 Simplified Block Diagram 


these stations. This limitation seriously degraded real-life training scenarios. 
The ability of the system to interface between live weapons and the 
computer for practice attacks had not been attempted previously. Realistic 
training prior to this upgrade could only be conducted by placing the master 
arm switch to on. This was not acceptable since this action caused the pilots 
release mechanism to be armed and functioning. 
In order to minimize the potential for an accident with a live weapon the 


master arm switch must be positioned to practice. If this is the case then the 
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system must be allowed to interface with the live missile. The practice 
missile attack will, therefore, require the aircrew to perform all the steps 
necessary to launch a real missile. The difference being that the missile will 
not receive the actual fire pulse. [Ref. 18] 

The portion of the problem that we began to focus on was after the 
communication link between a live Harpoon and the computer had been 
established. Could a missile inadvertently fire with the master arm set to 


practice during the practice attack? 


D. PETRI NET DESCRIPTION 

The Petri net was developed to gain an understanding of what went on 
with each individual signal during the firing sequence. Two nets were built, 
one for a live missile fire and one for a practice missile fire. Our goal was 
to examine the functionality of the nets to ensure that they behaved in the 
same manner as our actual knowledge of the system. 

The live fire net is represented in Figure 3-3. The area of main interest 
centered around the commit high signal. There are several prior preconditions 
that occur before the live fire can be initiated. Three of these signals occur 
in both of the nets. These signals are the internal priority, station priority 
output high, and the pilot control stick (PCS) input. The dashed lines in 


Figure 3-3 represent command abort conditions. 
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Figure 3-3 Live Fire Net 
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The input of the missile practice mode being false comes from the IMP. 
This is a safety check to ensure that the Operator has entered the correct type 
of attack, either live or practice, in the IMP. This check must correspond to 
the position of the master arm switch located on the armament control unit 
(ACU) and the entered type of attack in the IMP. 

The master arm/landing gear up (MA/LANGU) input is the last and most 
important signal that appears in the preconditions for the live fire net. This 
signal does not occur in the practice net. It must be set true or high and 
remain high throughout the entire firing sequence. If for any reason the 
signal goes low the firing sequence will be aborted. 

Once the commit high signal from the PCS goes high the AIU begins 
the launch sequence. The AIU responds by generating signals to the MSU 
and ACU. These two signals are produced concurrently. The signal to the 
MSU begins the interface with the actual Harpoon missile. This branch of the 
net does not occur in the practice fire net and is a significant and important 
difference between the two. 

The other portion of the fire signal is sent from the AIU to the ACU. 
When all preconditions are met, the ACU generates a firing pulse. This pulse 
is sent back to the AIU. The AIU then transfers the firing pulse to the 


pylons by way of a station missile release output signal and the weapon fires. 
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The practice fire net is presented in Figure 3-4. It is somewhat simpler 
considering that it does not rely on the MA/LANGU input. The initial 
difference is a new input is introduced from the BCS labelled master arm 
practice (MA PRAC). This signal is a new and separate signal to begin the 
sequence for a practice attack with live weapons. The MA PRAC input also 
has the same safety function implementation as in the IMP design from the 
live fire net. The IMP and master arm switch position on the ACU must be 
in agreement to work properly. 

Once the commit high preconditions have been met the practice fire net 
produces one signal versus the two found in the live fire net. The practice 
net does not enter the path to the MSU and the subsequent interface between 
the MSU and Harpoon. The Harpoon is thereby isolated by the practice fire 
procedures and no signals are received by the missile during the critical firing 
sequence. 

The system continues and as the preconditions of the net are met the 
AIU outputs the commit output high to the ACU. It will also output commit 
true to the IMP and set the internal function commit conditions to true. 
Finally, it will monitor the system for the ACU release signal from the BCS 
contingent on a good or bad launch. The BCS then provides all the realistic 
release parameters and signals to all other system components as if it were a 


real launch. This would include most error codes or abort procedures that 
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Figure 3-4 Practice Fire Net 


may occur during the release of the weapon. The MA/LANGU procedures 


would not be included because of their absence in the practice net. 


E. FAULT TREE ANALYSIS 

Building on the knowledge obtained from the Petri net modeling the fault 
tree analysis could begin. With the Petri net modeled and organized certain 
information was discovered to be vital. The knowledge of certain 
preconditions and paths in the net helped in assessing the fault tree analysis. 

The MA/LANGU was a condition that only existed in the live fire case. 
The live fire case also generated two signals after commit, one of which 
actually interfaces with the Harpoon. 

The practice fire case had a new input from the BCS that was 
MA/PRAC. This was critical to the practice event occurring and also caused 
the practice fire Petri net to be different than the live fire Petri net. The 
practice fire case did not interface with the Harpoon during the firing 
sequence. 

The overall problem areas in the system can be reduced because of the 
knowledge obtained from the Petri nets. In our specific case two scenarios 
were studied. The first was the case of a Harpoon firing with the master arm 


in practice with the commit occurring normally. The second condition or case 
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occurred if a Harpoon fired with the master arm in practice with no commit 
present. 

The first case is presented in Figure 3-5. The Harpoon fires with the 
master arm in practice. Discounting that a short circuit occurred in the 
master arm switch, two paths are explored. First to the left, the fire signals 
are sent from the AIU to the pylon. If this 1s the case, station missile release 
signals would have to be high and this could only occur if the master arm is 
in the on position. This is a contradiction to the initial loss event and 
therefore could not happen. 

The track of the MA/LANGU also continues down the tree and comes 
to the master arm contradiction in each of its paths. The contradiction event 
can be reached after the system has sent MA/LANGU to the AIU. If the 
MA/LANGU signal is accurate, then the master arm must be on. This is not 
the case and therefore causes a contradiction. 

Following the right hand path of the tree the first condition reached is 
that the missile is ready to fire. The ready to fire condition is followed by 
the MSL enable signal. Finally, if the signal to the MSU is present, the 
precondition for the event is that MA/LANGU must be true. The master arm 
IS in practice and therefore a contradiction is reached. 

The second scenario that was discussed was the occurrence of a missile 


firing without a commit present and the master arm in practice. The fault tree 
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Figure 3-5 Missile Fires With Commit 


for this scenario is represented in Figure 3-6. This tree also goes through 
station missile release signals from the AIU to the pylon. However, in order 
for this event to happen the commit high signal must be present. If this is 
the case then the PCS input must be present from the pilots stick for the 
commit to go high. The commit high signal for the initial loss event is not 
present. A contradiction is identified and the analysis need proceed no 


further. 


F. SUMMARY 

The analysis from the two scenarios shows that a Harpoon missile could 
not be fired inadvertently. There were enough safeguards and design 
techniques that ensured that a path to a live fire missile could not be reached 
in a practice attack. Two cases of an analysis, however, does not mean that 
there are not other problems areas that need to be investigated. Different 
missiles may have different signals that are required. However, with the 
addition of a separate output from the BCS to the AIU for practice attacks the 
design appears to enable safe practice attacks with live Harpoon missiles. 

The additional safeguards built into the IMP and ACU switch settings 
also help ensure safe operations of the system. These are excellent ways to 


go about insuring an inadvertent firing will not occur. 
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There are cases and scenarios in any system that can not be identified 
or thought of at the time of the design and implementation. Therefore, a 
methodology of putting the system through an analysis of some type to reduce 
the amount of unsafe states is advantageous. There will be failure scenarios 
that need to be continually identified and analyzed by experts to ensure the 
system continues to meet safety criteria. 

In examining the two specific cases we looked at the inadvertent release 
and accidental possibilities of a Harpoon firing. The interlocks in the design 


of the system block these events from occurring. 
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IV. RESULTS AND CONCLUSIONS 


A. REVIEW 

The software safety analysis of a concurrent system in a multiple and 
distinct CPU environment is a complex one. This problem is certain to 
become more complex and complicated in the near future. Systems under 
consideration, such as the A-12 aircraft, the Advanced Tactical Fighter (ATP), 
and some portion of space defense will have large numbers of interacting 
subsystems. 

These systems will also control and be responsible for more and more 
safety critical functions. The environment in which they operate will also be 
more demanding. Design faults and problems must be determined at earlier 
points in the software development cycle. Increasing costs and complexities 
are just two reasons answers must be found. New methodologies need to be 
discovered and perfected to insure that sophisticated hardware and software 
does not cause catastrophic incidents and accidents. 

This thesis has investigated (proposed) a method for using the power of 
Petri nets to model concurrent systems in a multiple CPU environment. The 
information obtained from the modeling of the net will help reduce the 


number of cases that need to be analyzed. With the knowledge of the system 
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well understood examining the reduced set of loss events can occur with fault 
tree analysis. FTA can then look at each individual loss event and decide on 
the feasibility of the event actually occurring. 

The sample system we chose is a proposed upgrade to an already 
existing operational flight program (OFP 240) for the A-6E Grumman aircraft. 
The modeling and safety analysis for this system examined a real-time system 
currently in the United States Navy inventory. 

The analysis initially used Petri net modeling to begin to break down and 
organize complex interactions of the system. Using the methodologies of Petri 
nets all aspects of the system functionality were analyzed, including the 
different internal interfaces to other computers. The analysis then moved into 
a constructed block diagram to allow for an examination of individual 
components and a thorough study of component operation, control flow, and 
system interfaces. 

The model centered around the AIU that is the heart of the new system. 
The Petri net modeling technique was used to understand the concurrent 
aspects of the AIU with the Harpoon air-to-ground weapon. The Harpoon 
was used since it was representative of ie weapons that could interface 
with the AIU. 

Key signals and information routes were determined after the live fire 


and practice fire nets were modeled. Differences between the two nets were 
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identified. This gave the analyst a sense of where problems could occur in 
the firing sequence. 

Once the live and practice fire nets were understood the analysis moved 
into FTA. The nets allow the analyst to ascertain the loss event scenarios that 
required the most attention. The analysis of these loss events, however, is 
time consuming. Automatic tools are being developed to assist in this area 
of analysis and need to be developed further. 

In our scenario two loss events were analyzed. The analysis begins by 
describing the loss event and follows the standard technique of FTA. The 
loss event in each case was the root of the tree. The events or nodes below 
were the necessary preconditions that were needed for the hazard to occur. 
It was shown in each case that there were many places in which a 
contradiction was identified. Therefore, it was determined that neither loss 
event could occur. There were sufficient safeguards in the design that 


prohibited the inadvertent release of a Harpoon in a practice attack. 


B. RECOMMENDATIONS 

We have demonstrated the feasibility of applying Petri net modeling to 
a complex concurrent problem of software safety analysis. We then used this 
information to create specific fault tree applications. We did not design a 


formal model of these conditions. 
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The methodologies presented are only a preliminary step in creating a 
complete set of rules to identify when Petri nets and fault tree analysis can 
be used. Leveson and Stolzy, for example, have used a methodology of 
simulating system faults within a Petri net model. Their techniques added 
fault transitions to the net to cause unintended events or prevented intended 
events from occurring [Ref. 1]. 

Petri nets are excellent for modeling the concurrent actions of a system. 
Petri nets are also strongly suited for timing constraints. Systems that proceed 
in parallel and need real-time synchronization benefit from Petri net modeling. 
FTA can then be used for logical event analysis and specific problem solving 
techniques. 

Petri nets, however, are difficult and time consuming to analyze. In 
order to analyze a complex concurrent system automatic tools are needed. 
The reachability graphs must be generated automatically by tools. Any valid 
technique to reduce the time and enormous number of paths in a problem will 
be essential for the future. 

In a complex software system consideration needs to be given to which 
techniques will help provide the best possible support for analyzing the 
system. Problems will occur during the design of a complex system. Most 
of these problems will be detected and corrected. There must, however, be 


techniques to uncover hidden problems. The application of Petri nets and 


fault tree analysis techniques can make a difference in building and designing 
better systems. 

In a system with a complex set of concurrent operations, Petri net 
methods should be used first to drive the fault tree analysis. The concurrent 
operations are better suited to be analyzed by Petri net models initially. Once 
the complex system is understood problem areas can be better analyzed. FTA 
can then be used where experts think major problems are likely to occur. 

In a situation or system where events in a fault tree depend on specific 
concurrent states being reached, fault tree methods should drive the analysis. 
Fault tree analysis is better suited for analyzing specific events. Petri nets 
can be then used to model the particular concurrent events in the actual tree. 
Deciding on which approach to use is a function of the system under analysis. 

One of the major concerns with Petri net methods is the difficulty in 
constructing graphs to model the actual system. This 1s a complex task and 
is an area that is currently undergoing major research initiatives. 

Integrated tools are one approach that is being investigated to reduce the 
time and complexities of Petri net analysis. We recommend that this thrust 
should also include tools that support not only Petri nets or fault tree analysis 
but both. The information that is obtained from these two techniques is 


certainly vital to overall system performance. 
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These tools, once designed, should be integrated. The information 
obtained in a Petri net model may also be able to be used by a fault tree 
analysis. Questions arise with regards to what portions of the information in 
the analysis are common to both techniques. Work in the field of Petri nets 
and FTA must be done on the inter-relationships between these two 
techniques. Petri nets are versatile enough to enable accurate modeling of 
many concurrent system aspects. They capture the features of system 
interfaces and paths of execution and are dynamic assets. 

Fault trees are essentially a static analysis. They can, however, detect 
software logic errors and multiple failure sequences that may have essential 
information that can be shared with Petri net analysis. 

Other concurrent modeling techniques also need to be explored. One 
example is communicating finite state machines with shared variables, a 
technique that allows for direct representation of race conditions. Race 
conditions, where two processes write to the same location simultaneously, 
have been shown to contribute to some past mishaps. 

We have introduced a technique to combine Petri nets and fault tree 
analysis. These combined techniques have the possibility to help in 
determining the future of safety analysis. Answers need to be found to ensure 
that critical software components can be Judged to be safe. Software errors, 


including simple oversights, must not be the cause of accidents or Incidents 
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once the software is introduced for public use. Therefore, we strongly 
encourage further research in this area and other areas introduced in this 


thesis. 
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Failure - 


Fail-Safe System - 


Hazard - 


Loss Event - 


Reliability - 


Safety - 


Safety Failure/Mishap- 


Safe System - 


Software Error - 


APPENDIX A 


The inability of a system or system component to 
perform a required function within specified limits. A 
software failure occurs when the failure is due to a 
software fault. 


A system which limits the amount of damage caused 
by a fault. No attempt is made to satisfy the 
functional specifications except where necessary to 
ensure safety. 


A condition with the potential for causing loss of life 
or property. 


A hazard at the top level of a fault tree that, if the 
event occurred, could cause a mishap. 


The probability that a system, including all hardware 
and software subsystems, will perform a required task 
or mission for a specified time in a specified 
environment. 


The ability of the system to avoid safety failures. 


A failure which leads to casualties or serious 
consequences. A serious consequence ıs any undesired 
event which the designer considers to be as or more 
important than the correct (reliable) operation of the 
system. 


One which prevents unsafe states from causing safety 
failures. 


A human action or inaction (during development or 


maintenance) which results in software containing a 
fault. 
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Software Fault - A manifestation of an error in software. A fault, if 
encountered, may cause a failure. 


Software Safety - The ability of the software system to avoid safety 
failures caused by software errors. 


Unsafe State - A state from which there are circumstances where 
further processing will lead to a safety failure or 
hazard. 
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APPENDIX B 


The rectangle indicates an event to be analyzed further. 


The circle indicates a basic fault event or primary 
failure of a component. It requires no further 
development, and its probability of occurrence is 
derived from the generic rate of the part. 


The house ıs used for events which normally occur ın 
the system. It represents the continued operation of the 
component, and its probability is the reliability of the 
part. 


Ihe diamond ıs used for non-primal events which are 
not developed further for lack of information or 
Insufficient consequence. 


The oval is used to indicate a condition. It defines the 
state of the system that permits a fault sequence to 
occur. It may be normal or result from failures. 


The AND gate serves to indicate that all input events 
are required ın order to cause the output event. 


The OR gate indicates that one or more of the input 
events are required to produce the gated events. 


50 


10. 


JN. 


LIST OF REFERENCES 


Leveson, N. G., and Stolzy, J. L., "Safety Analysis Using Petri Nets", 
IEEE Transactions on Software Engineering, vol. SE-13, no. 3, March 
1987. 


Griggs, J. G., "A Method of Software Safety Analysis", Proceedings 
of the Safety Conference (Denver, CO), vol. 1, part 1, System Safety 
Soc., Newport Beach, CA, pp. HI-D-1 to HI-D-18, 1981. 


Ericson, C. A., "Software and System Safety", Proceedings of the Sth 
International System Safety Conference (Denver, CO), vol. 1, part 1, 
System Safety Society, Newport Beach, CA, pp. III-B-1 to IM-B-1, 1981. 


Leveson, N. G., “Software Safety: Why, What, and How", Computing 
Surveys, vol. 18 no. 2, (June 1986), pp. 125-163, 1986. 


Gloss, D. S., and Wardle, M. G., Introduction to Safety Engineering, 
Wiley, NY, 1984. 


Konakovsky, R., "Safety Evaluation of Computer Hardware and 
Software’, Proceedings of COMPSAC '78, IEEE, NY, pp. 559-564, 1978. 


Roland, H. E., and Moriarity, B., System Safety Engineering and 
Management, Wiley, NY, 1983. 


Leveson, N. G., and Harvey, P. R., "Analyzing Software Safety", IEEE 
Transaction Software Engineering, SE-9, 5(September), pp. 569-579, 
1983. 


"Computer Dictionary”, IEEE Computer Society Standards Committee, 
Martin Weik, ed., IEEE Computer Society, 1979. 


Hammer, W., Handbook of System and Product Safety, Prentice-Hall, 
Inc., 1972. 


University of California, Irvine, Computer Science Technical Report, 


"Applying Existing Safety Design Techniques to Software Safety”, by 
Jeffery C. Thomas, and Nancy G. Leveson, September, 1981. 


51 


A 


l. 


14. 


15. 


16. 


I 


18. 


Harvey, Peter Randll, "Fault Tree Analysis of Software”, M. S. Thesis, 
University of California, Irvine, CA, 1982. 


Vesely, W. E., Goldberg, F. F., Roberts, N. H., and Haasl, D. F., Fault 
Tree Handbook, NURREG-0492, U.S. Nuclear Regulatory Commission, 
January, 1981. 


Cha, Stephen S., Leveson Nancy G., and Shimeall, Timothy J., “Fault 
Tree Analysis Applied to Ada," Proceedings of the Tenth International 
Conference on Software Engineering, Singapore, 1988. 


Software Safety Handbook (Draft), H.Q. AFISC/SESD, Norton Air Force 
Base, CA, March, 1984. 


Petri, C., Kommunikation mit Automaten, Ph.D. dissertation, University 
of Bonn, Bonn, West Germany, 1962. 


Peterson, J. L., Petri Net Theory and the Modeling of Systems, Prentice- 
Hall, Englewood Cliffs, NJ, 1981. 


MIL-STD-1553B (DOD), Specification Control, Missile C-11524/A (AIU), 
Program Performance Specification (PPS) for A-250, NWC-2478-250 
Revision C, Naval Weapons Center, China Lake, CA, 1 June 1989. 


52 


BIBLIOGRAPHY 


Connolly, Brain, “Software Safety Goal Verification Using Fault Tree 
Techniques: A Critically HI Patient Monitor Example”, Proceedings of IEEE 
Compass '89, Gaithersburg, MD, pp. 18-29, 19-23 June 1989. 


Leveson, N. G., and Stolzy, J. L., "Using Fault Trees to Find Design Errors 
in Real Time Software”, AJAA 21st Aerospace Science Meeting, Reno, NV, 
January 10-13, 1983. 


McKinlay, Archibald, "Software Safety Handbook", Proceedings of IEEE 
Compass ’89, Gaithersburg, MD, pp. 14-19, 19-23 June 1989. 


Neumann, Peter G., “The Computer-Related Risk of the Year: Misplaced 
Trust in Computer Systems", Proceedings of IEEE Compass '89, Gaithersburg, 
MD, pp. 9-13, 19-23 June 1989. 


A-6E Operational Flight Program E 250, Mini-PPS, Revision B, Naval 
Weapons Center, China Lake, CA, 93555, 23 June 1989. 


A-6E 4 PI Developmental Flight Program, E 544.06, Math Flows Draft, Naval 
Weapons Center, China Lake, CA, 93555, 17 May 1989. 


MIL-STD-1553B (DOD), Specification Indicator, Display/Control ID-2369/A 
(IMP), Program Performance Specification (PPS) for 1-250, Naval Weapons 
Center, China Lake, CA, 93555, 1 June 1989. 


MIL-STD-1679 (DOD), Control Missile C-11524/A (AIU) and Ballistics 
Computer Set, CP-1391/ASQ-155A (BCS), Interface Design Specification 
(IDS), NWC-2482-250, Revision A, Naval Weapons Center, China Lake, CA, 
93555, 1 August 1989. 


University of California Irvine, Computer Science Technical Report 
NO. 86-14, Building Safe Software, by Nancy G. Leveson, February, 1986. 


53 


INITIAL DISTRIBUTION LIST 


Defense Technical Information Center 
Cameron Station 
Alexandria, Virginia 22304-6145 


Library, Code 0142 
Naval Postgraduate School 
Monterey, California 93943-5002 


Department Chairman, Code 52 
Department of Computer Science 
Naval Postgraduate School 
Monterey, California 93943-5000 


Professor Timothy J. Shimeall, Code 52Sm 
Computer Science Department 

Naval Postgraduate School 

Monterey, California 93943-5000 


Major Michael L. Nelson, USAF, Code 52Ne 
Computer Science Department 


Naval Postgraduate School 
Monterey, California 93943-5000 


Mr. Bob F. Westbrook (Code 31) 
Naval Weapons Center 
China Lake, California 93555 


Mr. Werner Hueber (Code 3104) 
Naval Weapons Center 
China Lake, California 93555 


LCDR Richard J. McGraw, Jr., USN 


165 G Ave 
Coronado, California 92118 


54 


10 































































CR RN SENOS La 
de a ny preter 4 ¿E Nue 
LEUTEN I T io SUS 






E aN PTET E or 
oo ate PESAS A 
ER ab A ANA Ehe EME 


Ze taka l AA YAN ee) ae ae à » 
ARTES PR ; thesM 18849 Wa Dr AR MI A x he tone a 
INCA A Br O i i f 















































































































































































































































































| O ETT EE Tr it CS S E CUA ET DEE N wur z - ou S : f j 
EEE ESMAS H SEE NEN Petri Net and Fault Tree Ans comb ES NI W OUE | : 
KE AA AAS PTOS PO PAY ARRE AEREO TON Año A Wan ; AT y . AAA Er Soe : A 5 l ñ 
main uku) As. rtt yep panes AA ARA VAN raf Me di Mo 7 E SMA | ETET I ' I ' | 1 | A al G ' 9 one ST , FU 
Tee PT Te A aaa ew Peer rine Pee arene E py Bit Schl ) bed | | III | | | RL pi ) > A aes es y" n 
an LD AT AIM AN CN TS ; + Y OT ñ O ur WETE r (OU; A n 
DATE BEST EINE ES BES ET EEE hat eee m ANE W PO AAA PST ach, Auer di: PARA AO Ah - N n Li n 7 
ahi tao) ceed ad ell ere bi La LAP ka ee to ee ki e ai laye dise W ae I EE Te SL etd ce OL a E | | 1 L MA Wi N CO W DÈ A E 
Š a ae A A š AEDO ES ah A AI AOS OI E ESTA g ath | TA š A NE A a e ` K 
A Pl a MAL) e ne e. En ir urn. ue Pry at EL ARE TY ES OE ke į Ya ETE RO T «o ripu y E 
eee eT ae Bri ay «pod Pd SAT N LATE TEN IATA ERA ASA :0 L AE ANE a r Se ' n G 
A oo a AREAS Zen A OR TITO ES La E l | | |} | | | | Patti o ds O F š A; 
Cro diari EN ve CE AL Tenan IÓ LAN: PA TS LE SFR + | : kan aka i a) li EMI ' oa "a L E i 
Reh RR MA Ped all KOK | ai n. Ad PEN A r dics R a A AE, $ A r f 
KEN are nh PA A REITER LN PEI A ERY [ieee yrs ; Sd - ir., * s 
k'a fon VO ali cti a. A! fa u ¡e Kin k N O IT BE AI yä kat y l AJ N d e s 
a td nad MER ee de E ; AIR nA A EN FE T S, n NEO ` Jos u z >) ` 
Re tren ER Pat REAL TO UH anne een AMAS A E da p f e ' 4 s 
er ayers ae 5 IA TO) Actas at tenis Ca DAOU Se AA ` 2 L Fa Tu va : DUDLEY KN OX LIBRARY K w Kr ba ] K 
bread pata ah PA Cort ri aÑo Ka HES Pav eee. Te Te Peter St tet Da š Sn a IH y. "K ms Fi : Ad 4 a 
Bayo da Fahr sch L ANA en cot gee er A RS Md RAN, Figi ya hak mes tok Hey a E zen 
Ty ob A OS Ne A O EEE EA a MERETE z n A UN ` AN ay aY n f 
kan: ra A IN ON EN SS TT vane MPAA EE P aY K aS: bs > ? LA A: Tan Ar: OT E 
Sa or A PO TS ree rye Pa MAY A n «a apa fòm a" "p3 = ea. PWS TORS yuo Ax AGO A F A VACA pk ha ` WP TY: T 1 y ' WE t J ’ + 2 P a ; p pe : St A a 
ea ak AAA Ap KA En Sa ee Gi kn pe ustna Ki TET SEA Nè A Y TEMA AT AUN RARO A in E OT ASE E E AR MÈ PA Loco e R A 
KI AN PSN IN Lemoa PA OA MEN A bè Ga fe ATM AA A das Tn A ie w ke quid CN EAS = i t AT E i a, Er ae ne w. AO O j 
PT NES Hy A vun arg é; shaa: PAAS BO UE pis AN ES rise ase £ sss HE DU k 1, ka A KAY A aa Wi e A rg : Ë x i 
A oat AN CAR A A AR A) a ado Bas A : fr Br PA SEEN er Eis eR ms i n tan A TI i A U er 
ANNI A ASS aeg ROAD ATA IO : ARA the Mb be ee AI ET + Li e W UNU SK. ee à t T ki, A ges ME Br x A : A 
baga La inèd Ga A he, Es e STE AMA VES ù LI = Ln NAAA O n 8 ¿rd POUW. we oe a se Ar TA « ‘A Li 
Fen TA we m e DA COSA He NS ERA e AO) ie UA ONE y n š 2 
ER P REN A WRITE m AA: RIN MN DE RU ATS SE AA AA | ELITE A a 
ki Gent ase Pea REE, ¡ema Pd Oa ES ES A Rdn rte 3 FE A ho PA rar TA area a 
eS FAA RER) DR EA poh tas BT RL ER er ary L Yi PI GIA A A A AN Elie a pr ERA Y 2 
oe ale pe sit tote er EL ee ONQOY TIEN ' En: DEN AS CET O ES En 
Da mè LAA ps pin en ao DOTIS ER TE a E) TA INT YE id ee a. re ASA ` ' N - 
wa CO TA sèk Kann RAE IE Kou ON i i : 
ee un aa erde A A EA 3 PAY YE p AT PERE W Li 2 Fr 
+ EAS AAA Hr exer nT ISA P ray PRIME ree Td £ ase Diy E ee St yD ore uN fe A A x 
EIER PIE TRIER BOT ER TUN SEHE TE a, E TE Él S AA ae ki Be 
sen NEON DÈ Ma Yi EN CTS TH 1a d a A. oe Y ES 7 So ` 
Ba res nee PATATA ETA A O IE A RS AY) deta da I La Bee IN re) E 
e ay ka ee CET TE AN W de En E] TR A Ory a) tee RAN E E E IS Fi is ° 
AED E yn Fe st Oy NE a PRA ARA acond PAI SO y TS AE NC Y G NË A j 
o ONT art ATTE Pal EEE mo ee MR | ee EAT NT ETAT m ve Arde te Ns EL AA e ts YN AY ZON PWO a pa 
Ewa A IIA AS ined AA AA A A Ea fat EI TA "Ë "i ES ate a Mas sea as en ra Bere . 
ATÈ Ayo BE A aa EENE Y ATE TA TAS ci ak Fa. KASE CEN AAA A SI pas ing : 
Men Ue Ry + A e Are SQ RO ay e E] re) a ray ror be Leeds rere YE Mo: $ yy: 2 AUS AOU] toos 
nc A ASA TEN A Smokes E LN at 5 Jan y Mi Ne a AERTAL e EEG TAYE E pn “ n ae e L 
apy Be bet PET PON A de Datan bod Riss ste lpe yt Ole os ib beton ar AN gn nó A y f ç A : 
= te Layla A oder ee j ER + av. ed foes Ware ol yo bird Pag w eh. LE De Al fue A) Ca i sy AT 
Enpi AZI 0 # rete PATA ATA RES CITA 7 et BARA A or A A 
ka ” E: 





NS dak Pta bln a 
Ç Ae ee A 
RE: ae Kara SR, 
X $e ae 
ER, pa Fa nn pad A ALA 
TEN A On > deyètad ' 
PAJ FR eh) 2 


ai L A py Pa Y? PN PS At e HEN RAN 
f ER ia yates PE e er ar? Ti Oat ta a IIA ÓN 
Ant A kin SENT NEN N ER ER A Te dr de an ki 
BSH IE E TEN kè AN pe: ASIR ALE PNT, pe et TI TAS 
ESE AS aa at ata RE ee a Re we hal! ES zii A A er EC N 
“í 


rb PR NZ 
patin ena DABA ns, rf Peay, 

























`.) es es E n h 5 
NT AO LYS S FAS TES, 



















PART di pad Kè Me LE FWA KO ZON OO a 
E LED Tr fete bean: DSH Re KA kota IA AN NA re Kira iin A WER TS E AE ATT WE $ T RT n 
kaa PETA bes is aE Fgh heen eit kot ai á AS ha at i UA LICH (APRA pi etat KR A SIS a zielt F ni LE KL E 
er + a (Siew a Fees T KONSA TE che ar rk fa] ú a a f z. 
1 ' ` 





Te Pee | TAO Pe way a 
Ade 
Fi AN Fi Sa I SSS pub Ath 
AT PAS Ra 4 

TON 
nt hier ul A i Ni ro 





yi Y LTW DA Yi 
IN ad AKAN A Eo 
ns dG) “A RE Aw 
te Take HITS “a diz ekò «a 

KOMAN A CAS 





m3 RICH a a a 


er TN u EN :. 
Fl o An Py š A. porate 


ou 

ru STN year 

Indio di ATA 
A EE 

dl CEN Lina did PATO V ra OS 


kte eka aa; er f 

AS o TR sees a 

da Aa ses: SÈ poe SAS LÈ 
a 











q 
Ak 





Ou a n 





kw 
guans.e De ar Mesa yr ie haria PES Sta 
FP O Be 7 AOS RIA 






















mare AMAS ak mij “dpi m MÉ F Min Mk el TOKE T4 by E 
AS EPA AA A Aa Se CNS is ate Ga MO ee the 



















































ads pee n 
x a ty ae ed tae Be k DR ee TH NER N eh ps 
a ae rare PEREA NR NR AO IA PI VIA A A ETR RETE NO GO MT DD. 4 ga ti 
MO oes Chagas d a AA FREE LA BEER YE b yes Ad A NER Yo FAM a . R FM OSA AA E Sr Lats Ea 
ln a oe A sigs A TW Pr rate ASC eed OY AOP Con ae ed SR a MAN NI y LR O A E A A ; 
a A E 4 LA 1, ka n Li 
ELLE š Du TE REN ET) aS K pg mn; Toe dete e E AA AIN AA PA TER š 
O Dit AO ES ETET ange Hy By arp et r ‘Fe v 
PYAS A ATA es rp oti ah TW e tiki, mare Fi FATEVI, AS “w is Dr di 
PARANA A tek ire AMOR itè wg ETT VS DOE 
AI AR Pr nz a A A ARAS MELO A hit f. ot y 
A IS A Y AA RA SE O a 
EEA ie ith) 


akt YA ia? } 
bw ek ARE u REA AA FERN ty 
AREAS eN $ i 

ET AT W14 moi A SD 





an OU ES A 
Rz l ne em 










shes 
Rie 





Z, “id REES SFR 
A ARAS 
Dit a a vor aA! ee 
PARA Seog 




















“e 2 Eu wee : 
ER a aki 
y 















A yA js Er “| # KAT fa EAT NEN n ero. K ge'n y ES ei a "te 
Seep wie es Et Pines AAA i ‘ A Fi; Pak aa NON Lèd Fiske ay ple AT VA RE: 
EHE EA Be of a VEN r'à M Ak; Š "Y Cha tes. a y TM A TE LO ALS 
a voit + hr AO Ye payo ne YO 4 













N pon ko un PROS FALTEN 
ES CATE ey a 






















"rè is 
ed RR Si ER EU. a 











































































Fey kt ITA ye O y aS Pets i 
Si eats. + hae POI HS es ie ka sh, art Ba HR Be shape TS a TI TOU NAL BON 
LE ase a ea sie rote ary Pe erie Be st me LTU TRTA A SES Y, SEAT] 
E ek sae tat er er a Ver SNS E yee SEAS IA AE ak it 
ise A yd = ALE e vwe re DIS, Fa ar sk .. RENE kaa Fi ae re An 
ar ae ER “a HI ER BE E Pers RR A ka RE LETS UE 
“y: ae ES E YA AR SU POTS NAS A PTR, BG TAREA UN MAT An rL APA A se a 
CANTOS io ET pare PASS ray prac) Y ` d a Ko LAA E 7 “ie í 
BAN kanè an TEN A aE atau we AO A Mt ; di Pi rae 
E ad. Mita pla AW Pay $ TERET EETU AA E T T Qe d kan VL E 




























n pro. 


A e EE 
pi 


ip 







ESAS] O zi Kod et PEN At ie 
direis he eu Che it ICG ES LR rd 
Y i AWAY L kU uy `... aa IS Er 
Bir * ete w pen ea 
BE ab Ai AT AT ki 
ass ee td, é eee A A 
























Li 
MAT, UT ST Y 
ATA 
te 
Runen ra 













EHRT EEE NH ER ae 4 

PERRA e AE tits PEYI 
n oa 57 ee y 

éx} 






F 
TA LI) 
Ed ee 







f nn 


































































































































































































































































































pa ee 
A nate In Ed t A SIA A AD TAS ARIEL a AE lak. 
HEN Di n miata Pareles: a SORE Fe Pa RA SA PEETI the thei nd ITE MA * Dan, SI” Alfa JE ee 
AT HEN Mt WA A Pla eet ara ON PWEN AA e tata LA da „ee Weg gt gee fy fF nyè 
cha a AY an a PEGO A SEE ih AA AA ON ki MAN PA W AA CA a dd 
Ed at DITA, `Ë vi Se Sareea tes ry oe EEE ETEL W erie tin E 
Er Ar AR, EN ERS Rn LS E UTE } g ES LA a A kao 
¿AI A EI A O AA RON ak'a Yoin v1 ADA A OU e 
W Ye Jo ke NA. SEA AVA ott ¡La E a ety (kònè ere ka AA IT EA IA IOMA ye 
AE TO ENT e ct eget ak yòd ne + a Fox Rede TAK. la L TRY SIN f E O 
na O aM TO Te of PEN Era eae fiw j EIA AR AT A AS Pan; 
Ta 5 PEA ee N A IA as SOLEA Wile ane TAO O 
2555 ap ! : SWISS SEN ST ATA 
BER ec PAPA RAI - ; 
Ea muat 3 UNE, RT He “L GAN he “AP 
a Na, . vr rg“ H 5 4 
es RN e n Z: Br n z er mont paste tise ST ” KE? ae male ref! 
ETE REP Pa TEL IE SE SIE ER Pa teen yarn PTI SIC EN | 
RUF e Eii ae PEE SH PR NG Fi ASÍ 4 ER z af ERRE O Hr Ku q 4 
i rt a VIA SAIS Kiki y lo e Is po UND chi ie sa 
FAR An E EA n IA L ky Ba usa PR IAS Mi y 
Fa 5i PEINTES ee Ne kata Fa enn ii ATA TI ETIK So b 
AAA Te AAA A NY AO “an 
Ve e A =k baka Y d Sk SA. tA E ATAN it PAS + ‘eit hot 
e e de SAT YAL dl Mai wè AN DERART, END, 
Ka apa pHs AA AN Py x are An atq ; a at! 
RE N ati pa Fur es RT Ghi ps KAS 
ER rg y NN PA ah ae E NS 444; aaa! WE $141 44) "re et at 
h vi ny EA a Y. dwa”. e A Wo 
AER EPEE A we BR ee Bach e PAT re RRA = sel yan A ate 
[439414 A O PERS PAI ANL MA TTY Atak kot Wi bi ATA e $ II n 
EN EURE Ei ates rth | da AE $o U A PTAS L AN TAT a > 
sre ANA RA ada ER YAN UN % Put O . ? PRT otk Yt ay at on ar DER RES do 
BES a REN AN A EN de UE las e P O A Se Rs pie arte! > +h 
ei rept v. ut Cat Pus, aa pa Krasch BEER di. de! PEO Dr Er I 
SEEN FAN a OLA TE vi Lé SI aan sca ar ERTL n ETA 
Card 4 ing apy od pisan That E UA nt $s ON LAP ALL ki A JOU 
Pe E ol i a dre late ye r 
EEE ES AAA: wir U hi PEAD RA 
2e RER ah Evan? izi eit A y AR a A de ; 4 En 
OED Horg PVE AT TAL i Pia ñ 
TNT ie RR KRR RTS) 7 ar sit, 
lie LEE RL ter Vote i 0 a `: 
Ja ae RE LE, AFET Iw Fa An 
> TINI AAA P i àl n A] 
LUA rat eet) A klike SZ = - ESO TES Fr a TEZ 
te 4 aa FA PEAT VEN Ra oes e Es PE AT ES ETAR AN EY EE WI De LIZA TO n = 
AAA AO sevi sa LAT AA livè W ke. AN Ni MAN ] wit UNNA a £ gts 
ih far Foe oe AS Pa Et as PPS: er GAYA e eye Ais Narur ki y y 
rs ALPES "ATs ai A ER - ` i TO 2 n 
ra ey RAS vo A pa on RE HALTEN ELLE KA ATA LA a > e 










Part O. AA A ET AT: 
x Ver ; AV 


rid lta 















k RI: Bye F 
a A RER he 
à ia sote a Ye $s: IRA Ups: ad KERNE Fr 
Al Kr oye a 7 a Bitte at areal AA 
I £ rt 5 
rs AA Fe 7405-8. Sat Lee kk e krik UHR She kd i fi 































































er rida ity: eu a IÓ N wt r“ bin os b 

STS ENE BET are HL TER SC Pa MA EEIE AE SAREN ate Pdo de rik 

JA ea We Be, EN BR IL FIR FETT Nein y Wr: Pri ra SL PAN pi D 

Pa aa dh reg ae ad A est EIN O III NTE CN IIA Ae ia ED FR SE 

Seht ri PARE POLE Eg) TF oe lat. 2, x Ute Atay Pater OS iis ata 4. sl 

ss AN saar RE Vi 
mA er Ete ZOT ¥ = u RR y ER 


Aa ei ji EA | ; ASS 
ENDEN, Pe ANA h 33 š on ati BANN 

mi Wi ia ke EI NS te, ats A ale er 2 jw H A A SS mire 
A A e rra el s tet PEN c u Fi (Ati ki Te TF OL A a 




















A E) 










p E lend ier wala 










































i MAN PUL be ya D x DAL 
RT 2 IA! e ARTO AZA PI L 
m A BAN EOS Bra ta AO RN Er EH He (344 AWAY ea Sut 4 4 pasca 
NA Reh AE PA ait A AER HAP A Late y EI m A TE Pa) ATEO EPIST 
ELAS ee AAA E ta AT SP pide AYI AT u Je 








rar eh 
Da ea ke AAA E REN kii 


FE ) 
94/45. E A A a A wre, 
™ 

ra 

















































4 
TAT a KO ke BS BA PÈ L MALE SEAL Gh ae iver EEO LOA ALL 
i fa ASA 05 HAH PAN PANA eta PR AH ra 
Ti PPIH ES Fans Epa he AA Ne tat ve ) s FH BEG) PES 484 Y A Ss 
Vi me TS 20) ki y a RN 
PTI Yin Petit) 4 a kr PER, TER 
DA Ly PETERE A š ¡ade mitan PON TAO 
xy ER TE EPES CAPELA ETET 
IS N qu > NA, AI a eh 





AAR DAN 
a lé 







cong tat AA ve 











r ën ELSA ZA e Ki EE sya Pent 


u a 










ke 
syen 























MAL eats air ENT A G at ae kip Ak “ra 
e tk YAYA pede ean o nan Be oe E RIESTER RE Der you pe 
OK Are Ki Koh MAYI ra ieee ak AE LEZ A Ss) Kas ki Jik LI wh A 
yon ka EIER PATÉ A e jon POUR y ay we oat ei ore TEUS bei k: ray Brik 
it alga MI KA MO ZAN HU TOTS PON ki 
tip AA Erie ER A ANGUR AE AL irae 
cans di BUN: aa et A SAA E 


MAT AC 





x TAO ET tak k: A 
E en BR 












































































ap i a TAN Y 
A AM p'ap Va ki ua “pak ©, % A AS 
na pin Sa AS aa CHA da de SA ae 
ER N Aa Y Gi BR ERBEN: qe AQ, Wara 
Kar: m RE Ba dò un ve Ee Ye | AAA 
er en TAI O Ainara Md Mi Bar WANES 2 
etd Ca A A Angel iss vz OS j pe ts A ATA pe La ja de LIS TE athe tie Pe E r 
A Casi hs ah A or Om Gs aa LE ao hd Pe LW ASA AS Zo Mè HRS Ay TES a te ri te Sh A Te Lod ES 
WET Oth oe m'a SUR mw ve each Ja a kip A Li ETAN q AA a RAR PAI IA Aka A 
DE mese: DATO la MA AEB. ie piki kin! HET: don wi KALO TAZA a de IL hie 
LAP A eae, fa ap TESSA AO hati N A NICE yea y a ale FT Ai 2 
pa el, gave ab ets N PLANE AEG MAA Pee DS b; OTA + daa «ki "ir, W. TUT O vs fa L.» A A ké 


L Pe Gwd ta del ee Ca tee A A AA a S Cole LEER NEE ENDE KOU paye REA eT LAT Far, 









ira 
MA 
















TN A AS N aes 



































































Aida mi “A eN 3 Mn ER AO ke ED, Ye th š $ 9 
Pitted a ka WA ai a RY icin x rt Meats tp MINÈ a aya oy he n Sou, «AAS ki es E IA 
Harn EN ERS RT ee Dre Re RR SEAN L AR 
ena A EA Ad SIMPY E Mr PAL SÓ ta ez VEN A Bar ap HART ia ETT rely 
a Ad "5 Bet eas k AAA SEZA TA al CA, (pan Kae geht vis {5 PRs A see 
k dy " 70 í ki m ki LE LA 
re, SEL a Er ehe cl Y wn? © RE Ç n TY A A ka e AIN L. KAN 
lad O is SAN; « ay TT jan 4 Dd m, 077, ela, kL 5 
H KER SPUNEA nF EI EL YET BETH FLAN PW OF YOn E Nae ee O 
er te hy ye Piya MA A De RR e he LAST AAA AA DE BEE LES At y 
= kafè Bal pda ya et th Fa A AO Lavi Panyen iy AO oir RC Pu 4 Ir! M 
$ um, os w ER Ay Para ATI i tae unge Nr ¿0,8 7 UF * | i A 0% 





















LAN AEA THE LAN a En A IO tg 






ra EA de w si 


































ee L yom e PAU ELTEL E A E NA AN aii LISA dá E AIM A ed 
e An pa re ar DO URN ao AA 3 * ART po ki ar Fur, Li JAL. mw ka "T r$ Fi Zr 
en wale: E AA Fis ke TE Le mn pi. Ba EA Ku Mk de AN Yo son o's Li Won 44 es a PUE de u E A fas A Fir 
Fun AR TA a $a; PANE Yaki AL As AE u e 
SF SUSE sr nouè kika ki W ise eS ENE ie Ay, i y b, ie AM t] 2 ki eya ` Li Mi UM dry 
CESE ER ET SA i. ZE kè 27) Yui Ves Y 





MTL A A 






WA 13 TAA yen je Fot E 

hia Tide IE MOET Ke H dr WG; A AQ A di erecta Cos a A 

ie PLE YO W yo KARL You LAN, ESE ET SO SOC as ky W; h A 
Fe wi “jè ALE A AL AA y - 


oe op Uae ye y sij On Er pa í A 
zan kI Son RL, EN E k Less bes RN BE RETTET van PAS ; AA 
EE 


ba ty BL in 4. Y (TAYE AN eo BY A > MA yo Me ”. I 
Te w + > rh OO at Witt GM 3 pe 
MUI 







ch 
E ky 
a Apr N: yan y as 
DE hai a ps TRE O 
Ay T AE nn 
al 


NGO are OH YE AN Ze Ye 
ay, Eh yk 






















; 
LA o < 


desa. n w 

































































A at Ke $ EuS ub ç 1 
etik Ma A ore ar F ER i KAT ray ki rc SAN Bart, $ ir : SU a >$ 
NR en ae NE NIEREN 
KA 7 mi aie DA ke ash. vi sa YÈ DEA a NENNE, 
ps pè Mw Saab MAL A AA AN EN Aa A Ag Aa LE AS eh ha A N APAE tA N 
a a as Ent kek Wayne nor ae av A OS AL) FA r we ty dah 
A 


¿Hp 
AE N MEZ PR) pb tec yrange hak ok w 
en EIKE Ehe in baton kwen Kisa o ada 
A AA FA Pha a O] 2 Y 
ad esti pk ee ee EL Cee AAA Mehr 
ty DA a AA SECANO EAS e e de FA 
ll DARAS YÁ. e ny kes kk ba VON DAN ken) L Wè 
onn ES SS ann Ra W 
x rèt A yr s 
a pda la JI ia ar A] inh i EA cd AAA a we reo 
a. 4, PA TE A E AFi IT 


a ei 
E ma ai A un Ly Di pr O uh 
A a an (Le “oi 


g U YE Yo aw Da 
ñ YAR E CRI PSPL 
TE LA LD a A 
| 




















he oy AH y 
A 


DNI 








Tech ` a 


































M Er ee ¡A yr | ae Fibs IE TA Di a: q 9% 
sr aro DA de etn ¥ ¿i Ç: PEEN RT TI L m SA; 11220027 LY E] ae OUI 
AT ¿tail a Aa a Na ta EA PAS att NO bs ON ye Hu akte DA kè 

A Ak E eer a kazak Yon EN a KA ki Sa Ba N WA Ra Achten! LEE? 
A TY rs cae 9 ig n N QU AAA IS ON $3, ©! AZ A 
ar MA or ia rain preety. UN Ë etic a are erry: UR 

bide de ER LE A Ya "LMK TRA Py N 
PA eh aa pe ARA A Sear int Mk Ne ti bé ke Bi Y t 

EA EET kou yode NR Pa) ñ fi ata sti 4.33% 


CE ap m ore 











A SE RSA ew waere AAN pen i fè ey ae WT 
A o bet ee MORIN ate, en he. R AA 34 w. ni? pè Ay he als YA AZI pl a KR Er $ zh Kek ta Va fe JUL, Hat Fe og," dr oP 





